5.2 DNS Proxy
5.3.5 System Features
In this section, we discuss some of the detection system features. The detection system is a network-based solution that identifies, detects, and blocks DNS-based attacks, including DNS tunneling and DNS exfiltration. This work aims to detect DNS-based attacks as soon as they happen, in their different forms, including both low-throughput and high-throughput DNS tunneling. We implemented the detection system to work in two main modes, real-time and offline, for better performance. The detection system is written in the Go programming language for fast and stable performance. It runs on the Linux operating system and acts as a DNS proxy within the network so that it fully controls the DNS queries and responses. Some traditional DNS servers, such as Pi-hole [57], use blacklisted and whitelisted domain names to block advertisement pop-up windows. In this work, the detection system can likewise use blacklisted and whitelisted domain names to improve its overall performance. The detection system also provides the other services of a traditional DNS proxy, such as caching DNS records to speed up domain name lookups.
Also, in this work, the detection system blocks malicious DNS requests after they are detected in real-time by caching the malicious domain name in the DNS proxy with its IP address pointed to 0.0.0.0. Thus, every time the malicious domain name is requested, the proxy answers with 0.0.0.0 instead of the real address. We also implemented a web API for the detection system that provides manual operations such as creating, removing, and modifying domain name records within the cache. This API will also be used to build a front-end web interface in future work.
In this chapter's conclusion, we discussed the system architecture of the detection system against DNS-based attacks. The detection system is a network-based solution, deployed as a DNS proxy, that targets DNS tunneling attacks and DNS exfiltration techniques. Even when the adversary uses the low-throughput DNS tunneling technique, the detection system is able to detect and identify the attack. The detection system consists of two main modules: the payload analysis module and the traffic analysis module. The detection system monitors and examines the DNS traffic in real-time using the payload analysis module. It also performs offline analysis every x minute(s) using the traffic analysis module. We show more details about the detection system results and evaluation in the next chapter.
6 Results and Discussion
In this chapter, we show and discuss the detection system results. The detection system aims to detect and block malicious DNS-based attacks within the network. We employ two detection modes in implementing the detection system that targets DNS tunneling attacks and DNS exfiltration. The real-time mode detects and analyzes the DNS queries from clients, while the offline mode captures and analyzes DNS data for a certain window period. Also, we compared the detection system results with Snort, the baseline intrusion detection system. Snort is a real-time intrusion detection system, and it is capable of monitoring and analyzing not only the DNS protocol but also other protocols against various Internet attacks. The approach used in this work is a network-based solution against DNS-based attacks, including both high- and low-throughput DNS tunneling attacks.
The network-based solution, which runs as a DNS proxy, consists of three main modules: visualization, detection using machine learning classifiers, and real-time modules. We performed three evaluation experiments, one for each module. DNS tunneling attacks are widely used by adversaries and by malware. This type of attack takes advantage of the DNS protocol, which most networks leave accessible and rarely monitor, to bypass firewalls and modern in-line security appliances. For example, during our testing and evaluation experiments, a Firewalla was deployed within the network. A Firewalla is a modern security router that detects and blocks various Internet attacks. While we were performing the actual attacks against the detection system, Firewalla could not identify any of them because it does not have the capability of monitoring the DNS protocol.
The proposed detection system is implemented using visualization techniques and machine learning classifiers to distinguish DNS-based attacks. Designing a detection system using visualization and machine learning is not new. There are several studies on visualizing network traffic. In addition, there are numerous studies on detecting most Internet attacks. However, there are far fewer studies on DNS tunneling attacks, and none of the known techniques perform as well as the technique proposed in this work. This section shows the experimental results for the detection system that we implemented and compares it with others.
6.1 Evaluation
The main focus is on building a network-based detection system for DNS tunneling attacks and DNS exfiltration techniques. To build a robust detection system, we created a local testbed environment to evaluate the system. To benchmark the performance of the detection system, we tested both well-known and custom DNS tunneling tools against it. There are five main tools we used in this work. The five DNS tunneling tools that were selected and used to simulate the attacks include iodine, dns2tcp, PacketWhisper, DNSExfiltrator, the data exfiltration toolkit (DET), and Cobalt Strike. The iodine and dns2tcp tools were used in the experiments to simulate the DNS tunneling attack in which the adversary establishes a covert channel over the DNS protocol, such as a VPN connection.
Cobalt Strike is a stealthy advanced persistent threat (APT) cyberattack that allows an adversary to gain unauthorized access to a network and remain undetected for an extended period of time. It is also defined as software for adversary simulations and red team operations for performing security assessments, while DNSExfiltrator and DET are tools for generating custom DNS exfiltration traffic that simulates malware scenarios. PacketWhisper is a modern attack that uses the DNS protocol. PacketWhisper is a special case scenario where the attacker is internal and performs the attack from inside the network.
This work's main benefit is to recognize and predict new threats with a low false-positive rate and low latency. We calculate the performance evaluation based on three metrics: Detection Rate (true-positive rate), Precision (PR), and Accuracy (ACC).
Then, we compared the evaluation results with Snort, the open-source detection system. We consider a system with a lower false-negative rate and higher accuracy as better.
6.1.1 Experimental Setup
This section discusses the experimental setup for the DNS tunneling detection system.
To evaluate the performance of the methodology, we deploy the detection system within a local private network. The network environment is a home-based lab consisting of more than 20 devices, including IoT devices, servers, mobile phones, PCs, and laptops. The detection system is a network-based solution that runs as a DNS proxy to control and intercept the network's DNS traffic. The detection system acts as the primary DNS server for all clients in the network to guarantee that we intercept all clients' requests. The DNS proxy is capable of caching DNS requests for faster query lookup. For this experiment, we ran the detection system for four weeks to gather as much data as possible for evaluating the system, and we also performed the DNS attacks using the tools to simulate the attacks.
A Debian Linux server is deployed and hosted in the cloud to act as a public DNS server, and all network clients use the IP address of the DNS proxy as their primary DNS server. The detection system uses blacklisted domain name lists, which protect clients from Internet attacks, including phishing and spear phishing attacks. As we show in the results section, we blocked many advertisement websites based on community-created blacklists.
Figure 6.1: An Overview of the DNS proxy Setup.
Figure 6.1 shows an overview of the experimental setup of the DNS proxy in the cloud, where clients use the DNS proxy as their primary DNS server to resolve DNS queries.
As soon as the DNS proxy receives a DNS query, it checks whether the domain name already exists in its cache and, if so, responds to the client from the cache. If it does not exist, the proxy forwards the query to Google public DNS servers to resolve the request. Finally, Google public DNS sends the result back to the DNS proxy server, which sends it on to the client.
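The lookup flow just described (cache first, upstream on a miss), together with the 0.0.0.0 sinkholing and the manual cache operations from Section 5.3.5, as an added Go example that is not the thesis's own code: the upstream resolver is injected as a function so the flow runs offline (the thesis forwards to Google public DNS), and the `Proxy` type, method names and sample addresses are assumptions constructed for the illustration.

```go
package main

import (
	"fmt"
	"strings"
	"sync"
)

// Sinkhole is the address cached for blocked names (0.0.0.0, as in the thesis).
const Sinkhole = "0.0.0.0"

// Upstream resolves a cache miss. The thesis forwards to Google public DNS;
// here it is injected so the flow runs offline (assumed interface).
type Upstream func(name string) (string, error)

// Proxy is the answer cache consulted on every query, guarded for concurrent use.
type Proxy struct {
	mu    sync.RWMutex
	cache map[string]string
	up    Upstream
}

func NewProxy(up Upstream) *Proxy { return &Proxy{cache: map[string]string{}, up: up} }

// norm canonicalises a query name: case-insensitive, trailing dot dropped.
func norm(name string) string { return strings.ToLower(strings.TrimSuffix(name, ".")) }

// SetRecord and DeleteRecord model the manual cache operations exposed by the API.
func (p *Proxy) SetRecord(name, ip string) { p.mu.Lock(); p.cache[norm(name)] = ip; p.mu.Unlock() }
func (p *Proxy) DeleteRecord(name string)  { p.mu.Lock(); delete(p.cache, norm(name)); p.mu.Unlock() }

// Block sinkholes a blacklisted or freshly detected name by caching 0.0.0.0 for it,
// so every later query is answered locally and never reaches the upstream resolver.
func (p *Proxy) Block(name string) { p.SetRecord(name, Sinkhole) }

// Resolve answers from the cache first and forwards to upstream only on a miss,
// caching the upstream answer. It also reports where the answer came from.
func (p *Proxy) Resolve(name string) (ip, source string, err error) {
	n := norm(name)
	p.mu.RLock()
	cached, hit := p.cache[n]
	p.mu.RUnlock()
	switch {
	case hit && cached == Sinkhole:
		return Sinkhole, "sinkhole", nil
	case hit:
		return cached, "cache", nil
	}
	if ip, err = p.up(n); err != nil {
		return "", "", fmt.Errorf("upstream lookup of %s: %w", n, err)
	}
	p.SetRecord(n, ip) // cache the upstream answer for later lookups
	return ip, "upstream", nil
}
```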